Using SSL with WebSphere MQ transport for SOAP

WebSphere MQ transport for SOAP provides several SSL options that can be specified in the WebSphere MQ URI for use with client connections over a channel configured to run in SSL mode. There are differences in these options between the .NET and Java environments but the SOAP/WebSphere MQ senders and listeners process the SSL options that are applicable to that particular environment and ignore those which are not.

The presence or absence of the sslCipherSpec option for .NET clients and the sslCipherSuite option for Java clients determines whether SSL is used. If the option is not specified in the URI, SSL is not used and all other SSL options are ignored. All SSL options are optional except where indicated.

For WebSphere MQ clients, where a local queue manager is not used, you should set the SSL attributes in the URI or in the channel definition table. On the server, you should set them using the facilities of WebSphere MQ. By default, the standard WebSphere MQ SSL option "Always authenticate parties initiating connections to this channel definition" is set when enabling SSL on the channel. This means that clients are required to authenticate themselves before SSL communication can commence. They do this by sending their certificate to the server system. If this option is not set, SSL communications are established without client authentication. If using client authentication, it is essential that the client's key repository has an assigned certificate that the queue manager will accept. For additional security, WebSphere MQ channels can be configured to accept only certificates whose Distinguished Names match a required set of values. If an SSL Peer Name is set on a channel, the client's certificate must match the values specified in the SSL Peer Name. Refer to WebSphere MQ Security for details on the use and specification of the SSL Peer Name parameter for WebSphere MQ channels. The parameter is called SSLPEER when it is used in the MQSC DEFINE CHANNEL command.

The only difference for SOAP/WebSphere MQ is that the entire SSL Peer Name string in the URI for these connections must be enclosed in parentheses, as in the following example: SSLPeerName="(CN=MQ Test 1,O=IBM,S=Hampshire,C=GB)"
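The following Python is an added illustration of the rules described above, not IBM's code or any product parsing routine: which option switches SSL on in each environment, that the other environment's option is ignored, that the peer name must be parenthesised, and a simplified check of a client certificate DN against the peer name. Treating every option whose name starts with ssl as an SSL option, comparing option names case-insensitively, and the matching rule itself are assumptions made for the example.

```python
# Which URI option switches SSL on in each environment (names from the page).
SSL_SWITCH = {"dotnet": "sslcipherspec", "java": "sslciphersuite"}

def effective_ssl_options(uri_options, environment):
    """Reduce a dict of URI options (name -> value) to those the sender or
    listener would act on for the given environment ("dotnet" or "java").
    Returns {} when SSL is off. Assumptions: option names compare
    case-insensitively, and every option starting with 'ssl' is an SSL option."""
    opts = {name.lower(): value for name, value in uri_options.items()}
    switch = SSL_SWITCH[environment]
    if switch not in opts:
        return {}  # cipher option absent: SSL not used, other SSL options ignored
    other = next(s for env, s in SSL_SWITCH.items() if env != environment)
    effective = {name: value for name, value in opts.items()
                 if name.startswith("ssl") and name != other}
    peer = effective.get("sslpeername")
    if peer is not None and not (peer.startswith("(") and peer.endswith(")")):
        raise ValueError("sslPeerName must be enclosed in parentheses: %r" % peer)
    return effective

def parse_dn(dn):
    """'CN=x, O=y' -> [('CN', 'x'), ('O', 'y')], attribute types upper-cased."""
    return [(attr.strip().upper(), value.strip())
            for attr, value in (part.split("=", 1) for part in dn.split(","))]

def dn_matches_peer_name(client_dn, peer_name):
    """Simplified peer-name check (an approximation, not MQ's full SSLPEER
    rules): every attribute in the peer name must appear in the client
    certificate DN with the same value; a trailing '*' matches any suffix."""
    client = dict(parse_dn(client_dn))
    for attr, wanted in parse_dn(peer_name.strip("()")):
        actual = client.get(attr)
        if actual is None:
            return False
        if wanted.endswith("*"):
            if not actual.startswith(wanted[:-1]):
                return False
        elif actual != wanted:
            return False
    return True

if __name__ == "__main__":
    # Constructed URI options: a Java client using the page's peer name example.
    uri = {"sslCipherSuite": "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
           "sslCipherSpec": "TRIPLE_DES_SHA_US",
           "SSLPeerName": "(CN=MQ Test 1,O=IBM,S=Hampshire,C=GB)"}
    print(effective_ssl_options(uri, "java"))
    print(dn_matches_peer_name("CN=MQ Test 1,O=IBM,S=Hampshire,C=GB", uri["SSLPeerName"]))
```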

For more details on the CipherSpecs and CipherSuites supported, refer to WebSphere MQ Security and to WebSphere MQ Using Java. For information about using the MQSCO structure on an MQCONNX call, see WebSphere MQ Application Programming Reference.